Equifax's breach is not its first brush with concerns over handling of personal data

Renae Merle, The Washington Post

Published 9:30 am, Monday, September 25, 2017

After working largely out of the spotlight for decades, America's thousands of credit reporting companies found themselves in trouble in the late 1960s as lawmakers grew concerned about the massive troves of sensitive information the firms had collected on private citizens.

The target of many of these complaints was one company, Atlanta-based Retail Credit Co. - now known as Equifax.

Among the company's critics was an insurance executive named James Baker, who told a Senate committee in 1968 that he was having trouble finding a job after the company put a derogatory note in his file, alleging he had been fired for breaking the rules at his former employer. The note was incorrect, but the company refused to change it, Baker told the committee, according to media reports at the time.

The backlash against the industry led to landmark legislation, the Fair Credit Reporting Act of 1970, that now governs the way credit rating agencies operate. But it did little to restrain Equifax's ambition.

Nearly 50 years later, the company has grown into a data mining behemoth that uses artificial intelligence and other sophisticated tools to help companies determine whether to extend credit to nearly 1 billion people around the world. It is a leader among a number of information giants that play a critical role in financial markets, operating largely behind the scenes.

"Look at them as sleeping giants. They make the financial industry tick," said Keith Snyder, an industry analyst at CFRA Research. "They're the rails that the financial train runs on. Without them everything would grind to a halt."

That role is suddenly in question again over the company's handling of personal data. Earlier this month, Equifax announced that a massive data breach had exposed to hackers sensitive information, including Social Securitity numbers, of 143 million people to hackers, setting off complaints it has grown too big and waited too long to alert consumers.

Equifax has apologized and said it moved as quickly as it could once it understood the severity of the problem. But the scrutiny comes at a time when credit rating companies had hoped the Trump administration would roll back regulations, including limiting the powers one of its major watchdogs, the Consumer Financial Protection Bureau. Instead, the industry is facing its biggest challenge in decades.

---

Equifax traces its roots to 1899 when two Atlanta grocery store owners, Cator and Guy Woolford, started what was then known as Retail Credit Co. by going door-to-door to collect information about people in their community. Their $25 book, "The Merchant's Guide," noted who in the neighborhood typically paid promptly or who shouldn't be trusted with credit.

The book served as a key reference to local businesses that were grappling with rapid urbanization, said Josh Lauer, associate professor media studies at the University of New Hampshire. Traditionally, local owners knew their customers, but as people flooded into the city that had become more difficult, he said. "They were providing a service, trying to make lending safer," he said.

But it also set up an adversarial relationship with consumers that survives even today. "Their whole history is about skepticism toward consumers, believing that consumers are trying to get over on the local businesses," argued Lauer, author of "Creditworthy: A History of Consumer Surveillance and Financial Identity in America."

Over time, credit bureaus, such as Retail Credit, would often align themselves with law enforcement, Lauer said. Some had desks set aside in their offices for the Internal Revenue Service or Federal Bureau of Investigation, he said. "There was no firewall, no protection for consumers at all."

By the late 1960s, the country's thousands of credit bureaus were under scrutiny by Congress. The public was beginning to become aware of the massive amounts of data they housed and many questioned the accuracy of the information.

Retail Credit drew particular scrutiny because of its history of working with health and life insurance companies. When building reports about whether someone should be extended policies, the company would collect information from neighbors and family members about their person's health, reputation, and even sometimes note if they were homosexual, Lauer said.

"Credit worthiness was tied to character," he said. "To determine whether you were a good insurance risk, they wanted to know if they took care of themselves, were upright citizens."

After a series of congressional hearings, lawmakers adopted the Fair Credit Reporting Act, giving consumers access to their reports for the first time and requiring the companies to change incorrect data.

But even after the legislation, Retail Credit continued to see itself portrayed as a villain on Capitol Hill and in the media. In 1974, four former employees of the company told a Senate subcommittee that they were forced to falsify credit reports and meet unrealistic goals to keep their jobs, including ensuring there was adverse information about 6 percent to 10 percent of consumers to prove to their business customers they were being thorough. The same year, a woman sued for invasion of privacy after her auto insurance company canceled her policy because Retail Credit reported that she was living with a man "without benefit of wedlock."

In 1976, in the wake of the controversy, the company changed its name to Equifax.

"They changed their name because they needed a fresh start and Equifax sounds equitable and factual," Lauer said.

---

Fifty years later, Equifax is one of the world's largest data providers. Instead of simply selling credit reports to the business community it has branched into new markets, using artificial intelligence, machine learning and other tactics to unearth information, even sweeping up Facebook, Twitter data on consumers to help companies decide who to lend money to.

"We manage massive amounts of unique data, we have data on approaching a billion people. We have data on approaching 100 million companies around the world. the data assets are so large, so unique," Richard Smith, the company's longtime chief executive, said at speech at the University of Georgia business school in August.

"You think about the largest library in the world . . . the Library of Congress, we manage almost 1,200 times that amount of content every day, around the world."

The hard-charging CEO took over the company in 2005 after spending 22 years at General Electric under Jack Welch. In his time at the helm of Equifax, the company's stock price has soared 200 percent. It's market value has jumped from $3 billion to about $20 billion. Instead of focusing solely on the United States, Smith has pushed Equifax into 24 countries.

Smith "has done a lot of great things with Equifax. He took the company and made it the leader it is today," said Snyder of CFRA Research.

That has included collecting a lot more data on people. Early in this tenure, Smith made a risky bet to jump into a new market, buying Talx, which housed the world's largest repository of employment data.

"Every time an employee was paid, it creates 50 data attributes," including how much a person earns and how much was comprised of a bonus, Smith said in an August talk. The company could combine that information with data it already had on customers to create new products, he said.

Equifax looked at the billions pieces of information it was collecting and decided it could use it to make money in other ways, said Snyder. "They said, hey, we have all this great data on consumers how else can we slice and dice it and make more money from the data we already have."

As part of expansion - the company creates 50 to 75 products a year - Equifax also pitches itself to companies concerned about becoming the victim of a data breach, offering services of the "Equifax Data Breach Response Team."

"In addition to extensive experience, Equifax has the most comprehensive set of identity theft products and customer service coverage in the market," the company says on its website. "You'll feel safer with Equifax."

And Smith has set some ambitious new goals for the company: Doubling its revenue from $4 billion to $8 billion within five years.

Those ambitions may be derailed by the company's handling of a massive data breach that exposed to sensitive information of millions of people. On Sept. 7, Equifax announced that hackers had gained access to sensitive personal data - Social Security numbers, birth dates and home addresses - for up to 143 million Americans by exploiting a "website application vulnerability."

The disclosure has sparked reviews by the company's regulators, the Consumer Financial Protrection Bureau and Federal Trade Commission, as well as the FBI. "We apologize to everyone affected. This is the most humbling moment in our 118-year history," Smith said in a USA Today column after the breach.

Still, the company has outraged consumers by bungling key parts of its response. For several days, the company's Twitter account directed consumers in search of help to a fake site pretending to be Equifax. It initially required companies to agree not to join a class-action lawsuit to get some forms of help.

"Their game plan is fairly aggressive, so obviously this might put a damper on their aspirations," Snyder said.

Now, Smith is facing potentially the biggest challenge of his career when he testifies before a House committee next week. Lawmakers have criticized the company for waiting six weeks after learning of the breach to tell the public and some have called for a shake up of the company's management.

Now Playing:

"It is the company's best chance to change the narrative and steal momentum from" its critics, Jaret Seiberg, an analyst with Cowen and Co.'s Washington Research Group, said in a recent report. "If the company underperforms, the risk is high that it will . . . be constantly dragged back into the spotlight in the coming years."